
tls-crypt-v2 with openvpn service

Posted: Tue Nov 09, 2021 11:09 am
by cryptomon
Summary:
Following the blog https://cryptostorm.is/blog/tlscryptv2 for tls-crypt-v2 setup using the command line in bash under "For everyone else". I use the steps given as:


wget -O tcv2.key https://cryptostorm.is/tlscryptv2
openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key
except for the fact that I need to modify the connection to use a service file,
openvpn-client@.service
where my override.conf file is modified to be


[Service]
ExecStart=
ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --tls-crypt-v2 tcv2.key
However, I get this error:
openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode

I'm applying something wrong here. Is the openvpn command above meant to replace the tls-crypt-v1 certificate or do I still need to modify the .conf file? Not sure why I get this error, if someone might have a suggestion?

Re: tls-crypt-v2 with openvpn service

Posted: Sat Nov 13, 2021 7:18 pm
by cryptomon
Okay, the solution I've found after following the guidelines for the manual method was that when applying the command


openvpn --config whatever.ovpn --tls-crypt-v2 tcv2.key
which in my case was applied as shown above using the override.conf service file, one must also delete the existing key in the given config file. I did this using the sed command


sed -i '/<tls-crypt>/,/<\/tls-crypt>/d' "<whatever>.conf"

Re: tls-crypt-v2 with openvpn service

Posted: Fri Nov 19, 2021 2:15 am
by df
Yea, "openvpn[]: Options error: --tls-crypt-v2, --tls-auth and --tls-crypt are mutually exclusive in client mode" means you can only have tls-crypt or tls-crypt-v2, but not both.
If you're in a directory that contains a bunch of .ovpn configs with the old <tls-crypt> tags, you can use something like this to replace them all with tls-crypt-v2:

wget -qO/tmp/tlskey https://cryptostorm.is/tlscryptv2 # first download a tls-crypt-v2 key
find . -type f -name '*.ovpn' -exec sed -e '/<tls-crypt>/,/<\/tls-crypt>/d' -e '/<\/ca>/a <tls-crypt-v2>\n<\/tls-crypt-v2>' -i {} \; -exec sed -e '/<tls-crypt-v2>/r /tmp/tlskey' -i {} \;
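
Both fixes in this thread come down to the same rule: a client config may carry exactly one control-channel key. The script below is added here as an illustration; it is not code from the thread or from cryptostorm. It performs the migration that cryptomon's sed command and df's find/sed one-liner perform (drop the old `<tls-crypt>` block, insert a `<tls-crypt-v2>` block), also clears any `tls-auth`/`tls-crypt` file directives, and adds a count check you can run before restarting `openvpn-client@whatever`. The key material, the sample config and the temporary paths are constructed placeholders; it assumes POSIX sh with sed, grep, awk and mktemp.

```shell
#!/bin/sh
# Added example, not code from the cryptostorm thread: migrate an OpenVPN client config
# to a single inline <tls-crypt-v2> key and verify that no tls-auth/tls-crypt key remains.
# Assumptions: POSIX sh with sed/grep/awk/mktemp; the key and config below are constructed
# placeholders, not a real cryptostorm key or config.

# Count the control-channel key settings in a config: inline <tls-auth>, <tls-crypt> and
# <tls-crypt-v2> blocks plus the file-based tls-auth/tls-crypt/tls-crypt-v2 directives.
# A client config must carry exactly one of them, otherwise OpenVPN aborts with the
# "mutually exclusive in client mode" options error seen in the thread.
count_tls_keys() {
    grep -cE '^(<tls-auth>|<tls-crypt>|<tls-crypt-v2>|tls-auth |tls-crypt |tls-crypt-v2 )' "$1" || true
}

# Succeed only when exactly one control-channel key setting is present.
check_single_tls_key() {
    [ "$(count_tls_keys "$1")" -eq 1 ]
}

# Remove every existing control-channel key setting from config $1 and append one inline
# <tls-crypt-v2> block holding key file $2. Re-running replaces the key rather than
# duplicating it. Output goes through a temp file, so GNU-only 'sed -i' is not needed.
# key-direction is dropped as well: it only applies to tls-auth.
migrate_to_tls_crypt_v2() {
    cfg=$1
    key=$2
    sed -e '/<tls-auth>/,/<\/tls-auth>/d' \
        -e '/<tls-crypt>/,/<\/tls-crypt>/d' \
        -e '/<tls-crypt-v2>/,/<\/tls-crypt-v2>/d' \
        -e '/^tls-auth /d' -e '/^tls-crypt /d' -e '/^tls-crypt-v2 /d' \
        -e '/^key-direction /d' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    {
        printf '<tls-crypt-v2>\n'
        awk 1 "$key"            # 'awk 1' copies the key and guarantees a trailing newline
        printf '</tls-crypt-v2>\n'
    } >> "$cfg"
}

# --- constructed sample input (placeholders, not real key material) ---
work=$(mktemp -d)
cat > "$work/tcv2.key" <<'EOF'
-----BEGIN OpenVPN tls-crypt-v2 client key-----
PLACEHOLDER-V2-KEY-MATERIAL
-----END OpenVPN tls-crypt-v2 client key-----
EOF
cat > "$work/whatever.conf" <<'EOF'
client
dev tun
remote vpn.example.invalid 443
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-OLD-V1-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF

before=$(count_tls_keys "$work/whatever.conf")
migrate_to_tls_crypt_v2 "$work/whatever.conf" "$work/tcv2.key"
after=$(count_tls_keys "$work/whatever.conf")
echo "control-channel key settings: before=$before after=$after"
if check_single_tls_key "$work/whatever.conf"; then
    echo "config carries exactly one key: ready for the service"
else
    echo "config still carries $after key settings: fix before restarting"
fi
```

With the key inline in the config, the `--tls-crypt-v2 tcv2.key` argument in the ExecStart override is no longer needed; what matters is that the old `<tls-crypt>` block does not remain alongside either form. `count_tls_keys` returning anything other than 1 is the condition that produces the options error quoted above, so it is worth running over every `.conf` in the directory before `systemctl restart`.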

Re: tls-crypt-v2 with openvpn service

Posted: Sat Nov 20, 2021 5:33 am
by cryptomon
Thanks for the feedback